Splunk Search

how to pass the output of one query as search key to a subsearch?

Contributor

I have raw events that look as below:

2018:08:22:22:39:51.731 myhostname 3:INFO MYIDENTIFIERTEST 548026790130303164 454
2018:08:22:22:39:51.731 myhostname 3:INFO MYSTRMETHODACTION.COMPONENT TEST 548026790130303164
2018:08:22:22:39:51.752 myhostname 1:ERR1 MY
SERVICE_TYPE STRTST 548026790130303164 ERRMSG : Main problem: Sub problem message

=====================================
I want to create a table that has equal "548026790130303164" values in the 2nd and 3rd rows.
I need help in getting the right search query.

I want the three column table output like below:

548026790130303164 "MYSTRMETHOD_ACTION.COMPONENT" "ERRMSG : Main problem: Sub problem message"

0 Karma

Re: how to pass the output of one query as search key to a subsearch?

SplunkTrust

@bkumarm

You can use the transaction command to correlate events.
http://docs.splunk.com/Documentation/Splunk/7.1.3/SearchReference/Transaction

Can you please tell me in which field you are getting the value 548026790130303164, so I can help you design the search?

0 Karma

Re: how to pass the output of one query as search key to a subsearch?

Contributor

I need a list of refids that have MYSTRMETHOD_ACTION and ERRMSG : Main problem: Sub problem message

Example:
2018:08:22:22:39:51.731 myhostname 3:INFO MYIDENTIFIER1TEST 548026790130303164 454
2018:08:22:22:39:51.731 myhostname 3:INFO MYSTRMETHODACTION1.COMPONENT1 TEST 548026790130303164
2018:08:22:22:39:51.752 myhostname 1:ERR1 MY
SERVICE_TYPE STRTST 548026790130303164 ERRMSG : Main problem1: Sub problem message11

The output should be:
548026790130303164 MYSTRMETHOD_ACTION1.COMPONENT1 ERRMSG : Main problem1: Sub problem message11

0 Karma
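As an added example (not from either poster), here are two SPL searches that build the three-column table requested above: the first correlates the events with the transaction command suggested in the reply, the second does the same grouping with stats. Both assume the events are in `index=my_index` with `sourcetype=my_sourcetype` (placeholders), that the reference id is the 18-digit token shared by the events, and that the method token really is `MYSTRMETHOD_ACTION...` as in the expected output (the underscore is missing from the pasted raw events).

```spl
index=my_index sourcetype=my_sourcetype ("MYSTRMETHOD_ACTION" OR "ERRMSG")
| rex field=_raw "(?<refid>\b\d{18}\b)"
| rex field=_raw "(?<method>MYSTRMETHOD_ACTION\S*)"
| rex field=_raw "(?<errmsg>ERRMSG\s*:.*)"
| transaction refid maxspan=10s
| search method=* errmsg=*
| table refid method errmsg

index=my_index sourcetype=my_sourcetype ("MYSTRMETHOD_ACTION" OR "ERRMSG")
| rex field=_raw "(?<refid>\b\d{18}\b)"
| rex field=_raw "(?<method>MYSTRMETHOD_ACTION\S*)"
| rex field=_raw "(?<errmsg>ERRMSG\s*:.*)"
| stats values(method) AS method values(errmsg) AS errmsg BY refid
| where isnotnull(method) AND isnotnull(errmsg)
| table refid method errmsg
```

The `search method=* errmsg=*` and `where isnotnull(...)` lines drop reference ids that have only one of the two events, so only ids with both a method line and an ERRMSG line appear. On large data sets prefer the stats form: transaction holds every grouped event in memory, while stats only keeps the per-refid aggregates.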